Close Menu

Unmasking GhostCall and GhostHire: The New Malware Threat

Staff WriterBy No Comments3 Mins Read6 Views

Essential Insights

  1. Targeted Campaigns: North Korean threat actors are targeting the Web3 and blockchain sectors through two campaigns, GhostCall and GhostHire, under the broader operation SnatchCrypto, attributed to the Lazarus Group’s BlueNoroff sub-cluster.

  2. Malicious Phishing Techniques: GhostCall utilizes fake Zoom calls to lure macOS executives into downloading malware, while GhostHire deceives Web3 developers into executing booby-trapped GitHub repositories under the guise of coding assessments.

  3. Significant Geographic Reach: Victims of GhostCall are primarily located in Japan and various parts of the world, while GhostHire focuses on Japan and Australia, showcasing the global ambition of these cyber threats.

  4. Advanced Malware Development: Research indicates a sophisticated approach with malware capable of targeting both Windows and macOS, enhanced by generative AI for efficient development, leading to comprehensive data acquisition across numerous platforms and services.

The GhostCall Campaign

Threat actors linked to North Korea are launching new malware attacks, specifically on Web3 and blockchain sectors, through campaigns called GhostCall and GhostHire. Researchers from Kaspersky indicate that these operations are associated with the Lazarus Group sub-cluster, BlueNoroff. GhostCall primarily targets macOS devices of executives at tech and venture capital firms. Attackers use direct messaging on Telegram to invite potential victims to fake investment meetings.

Once the victim joins a fraudulent call, they face a fake Zoom page. The page prompts the user to download a malicious update under the guise of fixing connection issues. If victims comply, the malware compromises their system, downloading harmful scripts that initiate multiple infection chains. These chains execute further malware, bypassing security measures. Notably, the attackers have adapted their methods, transitioning from Zoom to Microsoft Teams as platforms for their deceptive schemes.

The GhostHire Campaign

In contrast, the GhostHire campaign focuses on enticing Web3 developers. Attackers approach targets on Telegram, presenting fake job offers linked to fabricated LinkedIn profiles. To build trust, they direct victims to a Telegram bot that impersonates a legitimate company. Subsequently, victims receive a ZIP file containing a seemingly harmless coding task, pressuring them to complete it quickly.

Once executed, the innocent-looking project downloads malicious components tailored to the victim’s operating system. This technique significantly increases the likelihood of infection. Research reveals that these actors systematically target sensitive data across various platforms, highlighting an alarming evolution in their approach. The integration of generative AI into their operations has enhanced the speed and efficiency of malware development, marking a new frontier in cyber threats.

Discover More Technology Insights

Explore the future of technology with our detailed insights on Artificial Intelligence.

Explore past and present digital transformations on the Internet Archive.

DataProtection-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Comments are closed.